MasterCard's 'Selfie' App Aims to Replace Passwords

To boost security and eliminate the need for passwords, MasterCard plans to roll out a facial biometrics app later this year to authenticate online purchases. But some security and financial fraud experts warn that biometrics technology is not foolproof and should be deployed only as one part of a layered authentication approach.

"Biometric authentication is not a panacea, and won't solve all of our authentication and fraud problems," says Avivah Litan, a financial fraud expert and analyst with the consultancy Gartner. "For that, banks certainly need a layered approach. But we must not forget that biometric authentication is still a heck of a lot more secure than passwords are."

Consumers using the new app, called MasterCard Identity Check, are asked to verify their online purchase by taking a "selfie" with their smartphone, blinking during image capture to prove the image is being captured in real time, the card brand explains. The blink is a liveness check: a still photograph of the cardholder held up to the camera cannot blink.

MasterCard says a four-month pilot of the technology at First Tech Federal Credit Union, a California-based institution with $8.6 billion in assets, was a success, citing participants' perceived ease of use and preference for the app over passwords. First Tech plans to launch a market-ready implementation of the Identity Check mobile app during the second half of 2016.

Amsterdam-based ABN AMRO Bank, with $452.6 billion in assets, also tested the technology. "Nine out of 10 participants indicate that they would like to replace their password with biometric identification," MasterCard says of the Dutch pilot. But MasterCard did not say whether ABN AMRO would roll out the app.

First Tech and MasterCard did not respond to ISMG's request for further comment.

Biometrics' Security Concerns

Although biometrics can help improve the security of payment transactions, the greatest concern is where and how the information collected is stored, says Ben Desjardins, director of security solutions for online security firm Radware.

"It's important to keep in mind that, by and large, the biometric inputs ... are being turned into bits and bytes that a machine can read and decide whether or not to authenticate," he says. "Once captured and stored, they are at risk from the myriad threats targeting any other piece of data. ... The biggest risks around biometric identification are similar to other forms of authentication. Biometrics definitely create a greater barrier, in terms of use of the data, if captured; and ideally they should be used as part of a multifactor authentication system, so to some degree their use is about keeping ahead of the pack, in terms of being an easy target."

But David Lott, a payments risk expert at the Federal Reserve Bank of Atlanta, says stealing biometrics data is far from easy.

"In most authentication systems used for payments, an image of the physical element is captured but then converted through a highly complex algorithm to a template," Lott says. "So the cybercriminal would have to be able to gain knowledge of the algorithm, break the encryption, and even then the ability to actually reproduce the image with a level of accuracy that would defeat the system is questionable."

Lott also says vendors specializing in facial and iris recognition "are very well aware of the possible ways to compromise the system and have built in detection capabilities, particularly in the use of photographs and video. All authentication methodologies, including biometrics, can be defeated given time and money. That is one reason why the FFIEC [Federal Financial Institutions Examination Council], in their online banking guidelines, recommends multifactor authentication."

Growing Interest

While MasterCard has emerged as a global leader in boosting the use of biometrics for financial applications, a number of other payments and service providers around the world are deploying similar solutions - illustrating the growing interest in biometrics authentication, Lott says.

"There are plenty of other stakeholders," he says. "Hundreds of thousands of ATMs in Brazil, India and Japan have been using biometrics, either solely or in conjunction with other authentication techniques, for some time to authenticate the customer at their ATMs, as an example."

Shirley Inscoe, an analyst at the consultancy Aite, suggests that biometrics authentication should be paired with other methods.

"Requiring the user to blink, or verify there is a temperature with an applied fingerprint, is a liveness test that definitely limits risk," Inscoe says. "But if the biometric is also paired with device identification, this is as secure as you can get. Identifying a known device associated with a consumer, along with a biometric with liveness test is more secure than any payment mechanism consumers are using today. Passwords are totally insecure, and the faster they are eliminated, completely, the better off e-commerce will be."

Tom Wills, a payments expert and director of Ontrack Advisory, a consultancy focused on payments innovation, predicts that MasterCard "will almost certainly be including other controls along with the photo - for example, the mobile-device fingerprint, geolocation of the device, etc. MasterCard understands more than most the need to build security in layers, and the 'selfie' capture feature will be just one layer among several."
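The two mechanisms discussed in this article, the blink liveness test behind the selfie capture and the layered decision Inscoe and Wills describe (face match plus liveness plus a known device), can be sketched in code. The following is an added illustration, not MasterCard's, First Tech's or any vendor's implementation. It assumes the eye-aspect-ratio (EAR) blink measure from Soukupová and Čech (2016) computed over six eye landmarks per frame; the thresholds, landmark geometry, frame sequences and the names count_blinks, authorize and AuthEvidence are all constructed for the example.

```python
# Added example (not MasterCard's or any vendor's code): a blink-based liveness
# check over per-frame eye landmarks, feeding a layered authorization decision
# that also requires a face match and a known device. EAR follows Soukupová and
# Čech (2016); thresholds, landmark geometry and frame data are constructed.
from dataclasses import dataclass
import math


def eye_aspect_ratio(eye):
    """EAR for one eye from six landmarks p1..p6 (p1/p4 are the corners,
    p2/p3 the upper lid, p6/p5 the lower lid). About 0.3 open, near 0 shut."""
    p1, p2, p3, p4, p5, p6 = eye

    def dist(a, b):
        return math.hypot(a[0] - b[0], a[1] - b[1])

    return (dist(p2, p6) + dist(p3, p5)) / (2.0 * dist(p1, p4))


def count_blinks(ear_series, closed_threshold=0.2, min_closed=2, max_closed=8):
    """Count open -> closed -> open transitions in a per-frame EAR series.

    A closed run must last at least min_closed frames (rejects single-frame
    landmark noise) and at most max_closed frames (rejects a photo of shut eyes
    or a face held still with eyes closed). Closed frames before the first open
    frame are ignored, so a capture must start from an open eye.
    """
    blinks = 0
    closed_run = 0
    seen_open = False
    for ear in ear_series:
        if ear < closed_threshold:
            if seen_open:
                closed_run += 1
        else:
            if seen_open and min_closed <= closed_run <= max_closed:
                blinks += 1
            closed_run = 0
            seen_open = True
    return blinks


def synthetic_eye(opening):
    """Constructed landmarks: a 6-unit-wide eye with lids `opening` units off the axis."""
    return [(0.0, 0.0), (2.0, opening), (4.0, opening),
            (6.0, 0.0), (4.0, -opening), (2.0, -opening)]


def ear_series(openings):
    """Per-frame EAR values for a constructed sequence of lid openings."""
    return [eye_aspect_ratio(synthetic_eye(o)) for o in openings]


# Constructed capture sequences, one lid-opening value per frame.
LIVE_CAPTURE = [1.0] * 5 + [0.3] * 3 + [1.0] * 5   # open, blink, open
STATIC_PHOTO = [1.0] * 13                           # held-up photo: nothing changes
CLOSED_EYES = [0.3] * 13                            # eyes never open
ONE_FRAME_DIP = [1.0] * 5 + [0.3] + [1.0] * 5       # landmark noise, not a blink


@dataclass(frozen=True)
class AuthEvidence:
    face_match_score: float   # matcher similarity against the enrolled template, 0..1
    blinks: int               # result of count_blinks() on the capture
    device_id: str            # identifier of the device that took the selfie


def authorize(evidence, enrolled_devices, match_threshold=0.8):
    """Layered decision: every layer must pass. Returns (approved, failed_layers)."""
    failed = []
    if evidence.face_match_score < match_threshold:
        failed.append("face")
    if evidence.blinks < 1:
        failed.append("liveness")
    if evidence.device_id not in enrolled_devices:
        failed.append("device")   # a live system might step up here instead of declining
    return (not failed, tuple(failed))


if __name__ == "__main__":
    enrolled = {"device-A"}
    for name, frames in [("live", LIVE_CAPTURE), ("photo", STATIC_PHOTO),
                         ("closed", CLOSED_EYES), ("dip", ONE_FRAME_DIP)]:
        blinks = count_blinks(ear_series(frames))
        print(name, blinks, authorize(AuthEvidence(0.92, blinks, "device-A"), enrolled))
    # A good live capture from a device the cardholder never enrolled is still declined.
    print("unknown device", authorize(AuthEvidence(0.92, 1, "device-Z"), enrolled))
```

The blink counter catches the held-up photograph and the single-frame glitch, but a replayed video of the cardholder blinking passes it unchanged; that gap is why Lott notes that vendors build in separate photo and video detection, and why the device-binding layer matters: a replay from an unenrolled phone is still declined.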

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
